Defcon 14 Wrapup, at Long Last

Security Fix is just now getting around to blogging about some of the other highlights from the Defcon hacker conference I attended this week in Las Vegas. (I had to recharge my batteries after sleeping fewer than four hours between Saturday and Monday.) I realized I never mentioned a Defcon talk from Friday given by Thomas X. Grasso, who's part of the FBI's National Cyber-Forensics and Training Alliance.

Perhaps the funniest and most engaging speaker I've heard from the likes of the FBI, Grasso gave a fantastic talk about what law enforcement really means when it says most cyber criminals running spam, spyware and virus attacks on the Internet today are organized crime groups whose turf is the Internet. Some, he said, are even grouped hierarchically much like U.S.-based mafia-style crime syndicates, illustrating this point with a graphic that showed how leaders of one cyber crime group assumed Italian titles such as "Capo" ("boss") and "Capo di Capi" ("boss of bosses").

Grasso also showed a very well-done video advertising the services of "Carderplanet," a now-disbanded group of online thieves that the FBI and international law enforcement are still chasing. The short video was a slick advertising promo for Carderplanet's services and how they might help your business, but the neatly choreographed spot never once mentioned that the services were completely illegal. (If I can wrangle a copy of the video, I'll post it here, as it's pretty captivating.)

While I caught a handful of Defcon presentations on Saturday, I spent most of the day wandering around meeting people and dropping in on the various competitions. I threw a few softballs wide of the mark at the Defcon dunk tank, which ultimately raised $3,686 for the Electronic Frontier Foundation. (Defcon founder Jeff Moss later rounded that figure up to a cool $7,500). A fundraising party at the conference also raised another $2,306 for the foundation.

Saturday evening was the key night for Defcon parties, and I was privileged enough to finagle a personal invite to Caezar's Challenge, an annual Defcon bash hosted by Riley "Caezar" Eller, who encourages attendees to put their heads together and come up with inventive solutions to a series of mental and technical brain teasers. One of this year's challenges was a riff off a Black Hat presentation by Greg Hoglund, who showed how he could beat an anti-cheating technology in the online role-playing game World of Warcraft using rootkits he developed. The second challenge was to "construct a theory of hacking human perception." I saw a handful of party-goers sitting in a circle on the floor of the hotel suite working on the challenge, but most attendees were mingling (present company included).

I almost didn't make it into the challenge at all. Armed with the necessary ninja-star sticker plastered to my press badge, I entered via a darkened, adjacent suite full of revelers dancing to the blaring beat of a techno DJ, but didn't see any sign of hackers working on a challenge. (I was told that in previous years the walls were plastered with challengees' working notes.)

It wasn't until an hour later that I spotted a small gap at the far end of the partition separating us from the next room. The guy guarding the passageway refused to let me by without "the password," which I didn't have. I was told I could get in if I managed to con it out of someone in the room with me. After a few minutes of futile attempts, I asked the guy guarding the door to find Caezar and request special permission. The sentry returned a few minutes later and let me in, whispering "All roads lead to Rome" in my ear as I slipped by. Two minutes later, I yanked out my cell phone and text-messaged the password to two other partiers who I'd been chatting with. That turned out to be a wise move, as they introduced me to a posse of clueful and well-connected folks who should be solid sources of helpful information on security stories going forward.

Later that morning, around sunrise, I was invited to breakfast with Juniper researcher Mike Lynn (the source of most of 2005's Black Hat drama), as well as some guys from the Shmoo Group and a number of others. I had a full three hours of sleep before I had to check out of my hotel, after which I staggered back to the Riviera to catch a few more talks and Defcon's closing ceremonies, where Moss and others announced the winners of the various annual competitions.

This year's Defcon attracted nearly 7,000 attendees, easily a record. One of the contests this year was to see who could come up with the most ingenious hack for the Defcon badges, which this year featured the trademark Defcon happyface-and-crossbones logo with a pair of alternating-flash light-emitting diodes for the eyes. A number of people replaced one or both of the blue LEDs with different colors, but others went quite a bit further, like conference attendee "Zane," who fashioned a flamethrower for the smileyface's mouth.

The winning hacked badge was created by Scott Scheferman, an audiophile and DJ who said he wasn't even aware that there was a prize. Scheferman hooked his LEDs up to a homemade synthesizer so that the device emitted an odd array of bleeps and tones along with the flashes, creating a kind of random music. Following Scheferman's demo, attendees were asked to hold their badges aloft as the lights were dimmed, and the room suddenly swam in a sea of blinking, undulating blue light.

This year's "beverage-cooling contest" was a sight to behold (and quite a ball for participants, who wasted no time in sampling the icy drinks). The crown went to Las Vegas locals Bryan and Rob from DC702, who, on their best run, dropped the temperature of a beer from the local 92.5 degrees to 36.1 degrees in about 120 seconds.

One of the highlights of Defcon was the "Defcon Bots" competition, in which different teams competed to build a computer-controlled Airsoft gun to shoot down targets, with no human control allowed. Team OCTOPI's setup blasted away the competition, using an infrared laser to snipe 30 targets with 31 shots in true "Terminator" fashion, in less than 38 seconds.

Brian Krebs - washingtonpost.com

Defcon annually features a "Running Man" contest, which requires teams using an awe-inspiring assortment of wireless gear to zero in on a roving human carrying a wireless beacon. The contest hit a snag this year when the local police got spooked after seeing contestants wandering around the environs with massive antennas and other wireless hacking apparatus protruding from all angles of their bodies, so the hunt was limited to the Riviera's immediate property. The Running Man himself was located after about 15 minutes of continuous movement.

Next year promises even more competitions, including a Bluetooth shootout and a new, potentially rewarding contest tentatively named "Buzzword Survivor." Defcon goon (as Defcon lovingly calls its security team) and Gartner analyst Paul Proctor put it this way: "One thing we always felt was missing from Defcon: There are no security [company] vendors here. And we know how much you all enjoy vendor presentations, so imagine 10 chairs set up where [contestants] are required to listen to 48 straight hours of vendor presentations."

As presently imagined, participants who successfully sit through two days' worth of mind-numbing jargon will win a $10,000 prize (no word yet on whether participants will be allowed to leave their seats to take care of certain necessities). Anyone planning to attend next year's Defcon 15 who is brave or foolhardy enough to endure the brainwashing should send an email to buzzwordsurvivor[at]gmail[dot]com.

The winning badge was effectively an event generator tapping the +3V from the IC to be able to leverage the patterns on board, and run them via an installed 1/4" stereo jack to the modular Cwejman synth's envelope generator and LPF cutoff frequency modulation jacks. This allowed for some techno-style beats to be produced. There were also some piezo tweeters installed on the badge for proof of concept and troubleshooting. With a little software re-programming of the IC, it may be possible to vary the voltage and create a crude VCO out of the badge...